mailnow.aimailnow.aiBack to home

Privacy Policy

Last updated: May 9, 2026

This Privacy Policy explains how Incorporate Now Inc ("mailnow.ai," "we," "us," or "our") collects, uses, shares, and protects information about you when you use the mailnow.ai website and services (the "Service"). We've tried to write this in plain English. If you have questions, email us at legal@mailnow.ai.

1. Who we are

The Service is operated by Incorporate Now Inc, a Florida corporation, doing business as mailnow.ai. Our business address is:

Incorporate Now Inc
100 S. Dixie Hwy., 3rd Floor
West Palm Beach, FL 33401
United States

For all privacy-related questions, requests, or complaints, please contact us at legal@mailnow.ai.

2. Scope

This Privacy Policy applies to the mailnow.ai web application and all related services we provide, including virtual mailbox services, mail scanning and processing, check deposit services, and related notifications. It does not apply to third-party websites, applications, or services that may be linked from the Service. Those third parties have their own privacy practices, and we encourage you to read them before sharing your information.

Where you use the Service on behalf of an organization (a "Customer"), we generally act as a "data processor" or "service provider" with respect to the contents of mail and checks we handle for that organization, and the organization is the "data controller" or "business." For your own account profile and direct interactions with us (for example, when you sign up, contact support, or pay an invoice), we act as the data controller.

3. Information we collect

We collect information from several different sources, summarized below.

3.1 Information you give us directly

  • Account profile: your name, email address, and profile image, which we synchronize from our authentication provider when you sign up or sign in.
  • Authentication credentials: the password and second-factor information you set with our authentication provider. Passwords are stored and verified by that provider; mailnow.ai never sees your raw password.
  • Business information: your company name, suite or unit numbers, alternative or "doing business as" names, mailing address, and any other information you add to your Customer profile so we can recognize and route your mail.
  • Billing information: your payment card and billing details are collected and stored directly by our payment processor. mailnow.ai never sees full card numbers; we receive only the limited identifiers and metadata the payment processor returns to us (such as last four digits, brand, and a customer identifier).
  • Communications: the contents of emails, support messages, and any other correspondence you send us.

For the current named vendors that fill the authentication-provider and payment-processor roles described above, see our Subprocessors page.

3.2 Information from physical mail and checks we receive on your behalf

Default mail handling: by default, we open and scan every Mail Item we receive on your behalf — we do not offer an envelope-only mode or a scan-on-request mode. As a result, the contents of that mail are an unavoidable part of what we collect. This includes:

  • The full contents of mail pieces (envelopes, letters, statements, notices, and enclosures), including any sensitive, personal, financial, legal, tax, or medical information they happen to contain.
  • Sender names, return addresses, and any contact details visible on the mail.
  • Text extracted by optical character recognition ("OCR") from scanned mail.
  • Structured fields and AI-generated summaries, category labels, and matching suggestions derived from that text.
  • For checks specifically: payee names, check amounts, check numbers, check dates, issuer or payer names and addresses, memo lines, signatures of the issuer, and the bank routing and account numbers visible on the face of every check.
  • Page rotations, page-by-page metadata, and blank-page detection results.
  • Scanned images of any physical signatures or other handwritten content captured in the course of check deposit.

We treat the contents of your mail and checks as confidential and apply the security measures described in section 10.

3.3 Information from your use of the Service

  • Page views, feature usage, search queries within the Service, and other interaction events.
  • Request logs, IP address, user agent string, and basic device and browser information.
  • Server-side error traces and diagnostic logs we generate when the Service encounters problems.
  • Audit logs of administrative actions taken on records you can access.

3.4 Information from notification and email delivery

  • Email delivery status events from our email delivery provider — for example whether a message was delivered, opened, deferred, bounced, or marked as spam — along with the provider's message identifier we use to correlate those events.

4. How we use information

We use the information described above for the purposes below. Where the EU/UK GDPR applies, we have indicated the legal basis for each purpose in brackets.

  1. To operate and provide the Service — receive, scan, classify, and route mail; deposit checks; allow you to sign in; deliver notifications. [Performance of a contract.]
  2. To process check deposits at your request, including transmitting check images and metadata to your bank or the bank's deposit channel. [Performance of a contract.]
  3. To send transactional and notification emails about new mail, new checks, deposit status, billing events, and changes to assigned deposits. [Performance of a contract; legitimate interests.]
  4. To provide customer support and respond to your inquiries. [Performance of a contract; legitimate interests.]
  5. To secure the Service and prevent abuse, including authentication, audit logging, fraud prevention, and incident investigation. [Legitimate interests; legal obligation.]
  6. To comply with legal obligations, including financial recordkeeping, tax reporting, anti-money-laundering and sanctions screening, responding to lawful requests, and enforcing our Terms of Service. [Legal obligation.]
  7. To improve the Service through aggregated and de-identified analytics, error monitoring, and product research. [Legitimate interests.]
  8. To communicate product updates, security advisories, and (with your consent or where permitted by law) occasional information about new features. You can opt out of non-essential product communications at any time. [Consent or legitimate interests, depending on jurisdiction.]

5. AI processing disclosure

To extract text, summarize content, and suggest categories and senders for your mail and checks, we send the contents of mail items and checks (including OCR text and, where needed, page images) to our AI processing provider through its API.

Our AI processing provider has contractually committed that data submitted through its API is not used to train its models and is retained only for limited operational purposes (typically up to 30 days for abuse monitoring), unless we have separately negotiated zero-data-retention. Our integration is configured to rely on those API-tier (business) protections; we do not knowingly send any personally-identifiable data beyond what is already on the mail piece itself.

For the current named AI processing provider and a link to its data-usage policy, see our Subprocessors page.

6. Cookies and similar technologies

We use a small number of cookies and similar browser-storage technologies to keep you signed in, remember your preferences, and (where you have agreed to it) measure how the Service is used so we can improve it. You can manage your cookie preferences at any time using the "Cookie preferences" link in the page footer. For full details, see our Cookie Policy.

7. How we share information

We share personal information only with the following categories of recipients:

  • Service providers and subprocessors who help us operate the Service — including hosting, identity, storage, email delivery, payment processing, OCR/AI, and customer support. The current list is at /legal/subprocessors.
  • Your bank, when we are depositing a check on your behalf at your request — we share the check image and the metadata required to make the deposit.
  • Law enforcement, regulators, and courts, when we are required to do so by law, valid legal process, or to protect against imminent harm.
  • Acquirers, in the event of a merger, acquisition, financing, or sale of all or part of our assets — in which case we will provide notice before any of your personal information becomes subject to a different privacy policy.
  • With your consent, in any other case where you specifically ask or authorize us to share information.

We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and we have not done so in the preceding 12 months.

8. International data transfers

We are based in the United States, and the personal information we collect is processed and stored in the United States and in other jurisdictions where our service providers operate. If you are located in the European Economic Area, the United Kingdom, or Switzerland, transfers of your personal information to the United States are made under the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum to the SCCs. We supplement those clauses with appropriate technical and organizational measures, including encryption in transit and at rest, role-based access controls, audit logging, and contractual confidentiality obligations on our subprocessors.

9. Data retention

We retain personal information only as long as we need it for the purposes described in this Policy, and as required by law. The following retention periods apply per category:

  • Account information — kept for as long as your account is active. If your account is closed, we retain account records for the period needed to meet our legal, tax, and recordkeeping obligations (see check deposit records and mail items above), after which they are deleted or de-identified.
  • Mail items and check images — kept for the period configured by the Customer, or for 7 years (the baseline US tax and financial recordkeeping period), whichever is longer.
  • Check deposit records (deposit metadata, deposit receipts, and deposit history) — kept for at least 7 years.
  • Items you delete — moved to a Trash area and kept there for 30 days, after which they are permanently deleted from primary storage.
  • Backups — overwritten on a 30-day rolling cycle. An item you delete may continue to exist in encrypted backups for up to 30 days before being overwritten.
  • Aggregated and de-identified analytics — may be retained indefinitely, because they no longer identify you.

We may retain information longer when we are required to do so by law, when there is an ongoing legal dispute, or when retention is necessary to investigate security incidents or fraud.

10. Security

We use a layered approach to protect personal information, including:

  • Encryption in transit (TLS) for all connections to the Service.
  • Encryption at rest for stored documents and database contents, and additional encryption for credentials we store on your behalf.
  • Role-based access control with the principle of least privilege.
  • Tenant isolation so that one Customer's data is not accessible to another Customer.
  • Audit logging of administrative actions.
  • Periodic review of access, dependencies, and configuration.

No system is perfectly secure. If we ever experience a personal data breach that is likely to result in risk to you, we will notify you and the appropriate regulators as required by law.

11. Your rights — global baseline

Subject to applicable law, you have the right to:

  • Access the personal information we hold about you.
  • Correct information that is inaccurate or out of date.
  • Delete personal information.
  • Receive a copy of your personal information in a portable format.
  • Restrict or object to certain processing.
  • Withdraw consent where processing is based on consent (without affecting the lawfulness of processing before withdrawal).
  • Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects. mailnow.ai's AI categorization, sender suggestions, and matching are designed as decision-support tools only and are reviewed by our team and/or by you before any consequential action (such as depositing a check) is taken; they are not solely automated decision-making within the meaning of GDPR Article 22.
  • Lodge a complaint with a data protection supervisory authority.

To exercise any of these rights, email us at legal@mailnow.ai. We will verify your identity before responding (typically by confirming control of the email address on the account) and will respond within 30 days. If we need additional time, we will tell you why and when to expect a response.

12. Your rights — EU/EEA, UK, and Switzerland (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the rights described in section 11 under the EU General Data Protection Regulation, the UK GDPR, and the Swiss Federal Act on Data Protection, including the right to lodge a complaint with your local supervisory authority.

For your direct interactions with us (your account profile, billing, and support history), Incorporate Now Inc is the data controller. For the contents of mail and checks we handle on behalf of a Customer organization, Incorporate Now Inc acts as a data processor, and the Customer organization is the data controller; the controlling document for that processing is our Data Processing Agreement.

We have not yet appointed a representative in the EU under Article 27 GDPR. We will appoint an EU representative before offering the Service to data subjects located in the EU/EEA in any meaningful volume, and we will update this Policy with that representative's contact information at that time.

13. Your rights — California (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA):

  • Right to know what categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of recipients.
  • Right to delete personal information we have collected about you, subject to legal exceptions (for example, records we must keep for tax or anti-money-laundering purposes).
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of personal information for cross-context behavioral advertising. As stated in section 7, we do not sell or share personal information in this sense and have not done so in the preceding 12 months.
  • Right to limit use of sensitive personal information to what is necessary to provide the Service. We do not use sensitive personal information for any purpose other than providing and securing the Service and complying with the law.
  • Right to non-discrimination for exercising any of these rights.

The categories of personal information we have collected in the preceding 12 months are:

  • Identifiers — name, email address, IP address, account identifiers (collected from you and from our authentication provider; used to operate and secure the Service).
  • Customer records as defined under Cal. Civ. Code § 1798.80(e) — business name, mailing address, signature, financial information including bank account and routing numbers (collected from you and from mail and checks; used to operate the Service and process deposits).
  • Commercial information — billing history and customer identifiers issued by our payment processor (collected from our payment processor; used for billing).
  • Internet or network activity — request logs, page views, feature usage (collected from your use of the Service; used to operate, secure, and improve the Service).
  • Geolocation data — coarse location inferred from IP address only (collected from your use of the Service; used for security).
  • Professional/employment information — your role within your organization, where you provide it (collected from you).
  • Inferences — AI-generated category labels and sender suggestions for mail (derived from mail contents; used to operate the Service).
  • Sensitive personal information — for our purposes specifically includes:
    • Account login credentials (managed by our authentication provider; passwords are not visible to us).
    • Financial account numbers, including bank routing and account numbers visible on checks we receive on your behalf.
    • Contents of mail addressed to you that is not addressed to the public, including any information it contains about health, finances, legal matters, or other sensitive topics.
    • Credentials for connected services that you provide so we can act on your behalf.

We retain each of these categories for the periods described in section 9. To exercise any of your California rights, email legal@mailnow.ai. You may use an authorized agent; we will require written proof of authorization and verification of your own identity.

14. Your rights — other US states

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and other US states with comprehensive consumer privacy laws have substantially similar rights to those described above, including the right to access, correct, delete, and obtain a portable copy of personal information, the right to opt out of targeted advertising and the sale of personal information (which we do not engage in), and the right to appeal a denied request. To exercise any of these rights, email legal@mailnow.ai.

15. Children

The Service is not directed to anyone under 18 years of age, and we do not knowingly collect personal information from children. If we learn that we have collected personal information from a child without verified parental consent, we will delete it. If you believe we may have done so, please email legal@mailnow.ai.

16. Do Not Track and Global Privacy Control

Because there is no industry consensus on how to interpret browser "Do Not Track" (DNT) signals, we do not currently respond to DNT headers. We do honor Global Privacy Control (GPC) signals where applicable as an opt-out-of-sale and opt-out-of-sharing signal — but, as noted above, we do not sell or share personal information in the first place, so a GPC signal does not change our processing.

17. Changes to this policy

We may update this Privacy Policy from time to time. The current version is always posted on this page, and the "Last updated" date at the top reflects the most recent revision. You are responsible for periodically reviewing this Policy to stay informed of any updates. Where reasonably practicable, we will use commercially reasonable efforts to notify you of material changes by email or through an in-app notice before the change takes effect, but such notice is provided as a courtesy and is not guaranteed. Continued use of the Service after the change becomes effective means you accept the updated Policy.

18. Contact

For any privacy question, request, or complaint:

Incorporate Now Inc — Privacy
100 S. Dixie Hwy., 3rd Floor
West Palm Beach, FL 33401
United States
Email: legal@mailnow.ai

Data subjects in the EU/EEA may also contact our future EU representative once appointed, as described in section 12. Until then, please write to us at the address above and we will respond directly.